Document afs_krb5 appdefaults section

Ticket: 1192
Tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15484 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/doc/ChangeLog b/doc/ChangeLog
index 786fb2ca2d8eb8d574b22d4f53ba9233f9352c78..18d239039dced340d53f7bbbc6cf231d7075d7e9 100644 (file)
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,9 @@
+2003-05-22  Sam Hartman  <hartmans@mit.edu>
+
+       * admin.texinfo (appdefaults): Describe afs_krb5
+
+       * krb425.texinfo (AFS and the Appdefaults Section): Note about AFS and 2b tokens
+
 2003-05-13  Ken Raeburn  <raeburn@mit.edu>
 
        * definitions.texinfo: Updated DefaultSupportedEnctypes.

diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index a58cf5675c4cd118d9ed7310edf28b9efba56294..d35246911006a3db30b773833b31bd6a4a7a83b1 100644 (file)
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -610,6 +610,33 @@ The list of specifiable options for each application may be found in
 that application's man pages.  The application defaults specified here
 are overridden by those specified in the [realms] section.
 
+A special application (afs_krb5) is used by the krb524 service
+to know whether new format AFS tickets based on Kerberos 5 can be used
+rather than the older format which used a converted Kerberos 4 ticket.
+The new format allows for cross-realm authentication without
+introducing a security hole.  It is used by default.  Older AFS
+servers (before OpenAFS 1.2.8) will not support the new format.  If
+servers in your cell do not support the new format you will need to
+add an @code{afs_krb5} relation to the @code{appdefaults} section.
+The following config file shows how to disable new format AFS tickets
+for the @code{afs.example.com} cell in the @code{EXAMPLE.COM} realm.
+
+@smallexample
+@group
+[appdefaults]
+afs_krb5 = @{ 
+    EXAMPLE.COM = @{
+        afs/afs.example.com = false
+        @}
+    @}
+
+@end group
+@end smallexample
+
+
+
+
+
 @node login, realms (krb5.conf), appdefaults, krb5.conf
 @subsection [login]
 

diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo
index c239b2f541b22e73d771ecd2448b27e4282e51f5..7a7a808620ca883be3e798d9606bcea129b98eca 100644 (file)
--- a/doc/krb425.texinfo
+++ b/doc/krb425.texinfo
@@ -17,7 +17,7 @@
 
 @include definitions.texinfo
 @set EDITION 1.0
-@set UPDATED October 8, 1996
+@set UPDATED May 22, 2003
 
 @finalout                               @c don't print black warning boxes
 
@@ -101,6 +101,7 @@ nonstandard installations.
 @menu
 * libdefaults::                 
 * realms (krb5.conf)::          
+* AFS and the Appdefaults Section::  
 @end menu
 
 @node libdefaults, realms (krb5.conf), krb5.conf, krb5.conf
@@ -122,7 +123,7 @@ Specifies the location of the Kerberos V4 domain/realm translation
 file.  Default is @value{DefaultKrb4Realms}.
 @end table
 
-@node realms (krb5.conf),  , libdefaults, krb5.conf
+@node realms (krb5.conf), AFS and the Appdefaults Section, libdefaults, krb5.conf
 @subsection [realms]
 
 In the [realms] section, the following Kerberos V4 tags may be used:
@@ -148,6 +149,21 @@ between the realms.
 
 @end table
 
+@node AFS and the Appdefaults Section,  , realms (krb5.conf), krb5.conf
+@subsection AFS and the Appdefaults Section
+
+Many Kerberos 4 sites also run the Andrew File System (AFS).
+
+Modern AFS servers (OpenAFS > 1.2.8) support the AFS 2b token format.
+This allows AFS to use Kerberos 5 tickets rather than version 4
+tickets, enabling cross-realm authentication.  By default, the
+@file{krb524d} service will issue the new AFS 2b tokens.  If you are
+using old AFS servers, you will need to disable these new tokens.
+Please see the documentation of the @code{appdefaults} section of
+@file{krb5.conf} in the Kerberos Administration guide.
+
+
+
 @node kdc.conf,  , krb5.conf, Configuration Files
 @section kdc.conf